Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Enable Password Issues with ACS 5.1

Hi,

I'm guessing this one will be quite straightforward, but so far I just can't make this work.

I have two Tacacs+ accounts- admin (lvl 15) and troubleshoot (lvl 2), with authentication and authorization being performed on the ACS.

On the ACS I have configured account-specific login and enable mode passwords.

My Cisco device configs are as follows:

aaa new-model

aaa authentication login default group tacacs+ local

aaa authentication login CONSOLE none

aaa authorization config-commands

aaa authorization exec default group tacacs+

aaa authorization commands 2 default group tacacs+

aaa authorization commands 15 default group tacacs+

!
tacacs-server host x.x.x.x key TACACS
tacacs-server directed-request
!
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxx

When I login as the admin account it works beautifully.  I am placed directly into privileged exec mode and have full level 15 access.  I confirmed the ACS server is being referenced correctly with both 'debug tacacs' on the switch and Tacacs Authorization reports on the ACS itself.

However, when I login as 'troubleshoot', even though I am immediately shown the '#' enable prompt I only have standard user-mode commands.  Output from 'debug tacacs' shows that the correct shell profile (lvl 2) has been assigned by the ACS and I'm seeing the relevant command set being referenced in the authorization reports (as per attached screenshot).

Once I type 'enable' to move into privileged exec mode, the account has access to all commands permitted by the command set (in other words, it works fine).

So in summary, I guess my request is:

How to get the ACS to place me into 'privileged exec' mode as soon as I login with a level 2 shell profile (rather than having to manually enter this mode)?

Many thanks,

Duncan

2 REPLIES
Cisco Employee

Re: Enable Password Issues with ACS 5.1

Duncan,

     If you are going to do command authorization against ACS then you don't need to assign level 2, you will assign level 15 and then all commands are authorized against the ACS to determine if that user is allowed to run that command or not.  If you pass level 2 then only commands that are at level 2 or below will be shown to the user.

--Jesse

New Member

Re: Enable Password Issues with ACS 5.1

Jesse,

That makes perfect sense.  And as I thought, I'm kicking myself for not realising it earlier.

Thanks alot for your reply.

Kind regards,

Duncan

446
Views
5
Helpful
2
Replies
CreatePlease to create content